Going to Saturday or Sunday football games is an activity enjoyed by most European fans. Football clubs, like Manchester City in the UK and Brøndby IF in Denmark, are considering employing automated facial recognition (AFR) technology at their home stadiums against strong opposition by privacy rights groups.
Manchester City, the Premier League champions, are considering introducing technology allowing fans to get into the Etihad Stadium more quickly by showing their faces instead of tickets, according to the Sunday Times. City will employ facial recognition technology acquired by Blink Identity, a Texas-based company, which can identify people walking at regular speed, so fans will not need to slow down to show a ticket. To opt-in, supporters would need to register a selfie taken on their phone. Blink Identity says it is also possible to “collect usable and sharable data” on every person that walks through its facial scanning software.
At the same time, the Danish Soccer club Brøndby IF has announced that an AFR technology will be deployed at Brøndby Stadium. The news report says it will be used to identify persons that have been banned from attending Brøndby IF soccer matches for violations of the club’s own rules of conduct during past games. The AFR system will work by using cameras that scan the public area in front of the stadium entrances, so that persons on the ban list can be ”picked out” from the crowd before reaching the entrance.
Both developments were met with strong criticism by privacy rights groups. In the UK, Hannah Couchman, the policy and campaigns officer at Liberty, said:
“This is a disturbing move by Manchester City, subjecting football fans to an intrusive scan, much like taking a fingerprint, just so they can go to the Saturday game. It’s alarming that fans will be sharing deeply sensitive personal information with a private company that boasts about collecting and sharing data on each person that walks through the gate, and using this to deny people entry. Manchester City should urgently reconsider their involvement in normalizing a mass surveillance tool.”
In Denmark, the use of AFR technology at Brøndby Stadium comes with prior approval from the Danish Data Protection Authority (DPA) which is a requirement in the Data Protection Act. European Digital Rights (EDRi) association has warned that the Danish DPA decision
“is rather difficult to understand in the present case. AFR is one of the most invasive surveillance technologies since a large number of persons in a crowd can be identified from their biometrics (facial images) and automatically catalogued based on matches with pre-defined watch lists. At the same time, AFR is a very unreliable and inaccurate technology with known systematic biases in the form of higher error rates for certain ethnic minorities.”
GDPR Article 9 prohibits the processing of sensitive personal data, such as AFR generated biometric data, for the purpose of uniquely identifying a person unless one of the conditions specified in Article 9(2) applies. The explicit consent of the data subject is one of these conditions, and generally speaking the most relevant one for private controllers, such as football clubs. “Consent cannot be the legal basis for using AFR at a football stadium though, since consent must be voluntary,” says EDRi.
In addition to explicit consent, GDPR Article 9(2)(g) allows processing of sensitive personal data if the processing is necessary for reasons of “substantial public interest, on the basis of EU or Member State law, which must be proportionate to the aim pursued.” The law must provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Astird Mavrogenis of the Danish DPA has admitted that “there is no definite definition of essential societal interests. This is based on the specific situation.” Is “improving fans’ experience at the stadium” a substantial public interest?